Windows 10: Windows memory integrity + Intel sgx

Discus and support Windows memory integrity + Intel sgx in Windows 10 Virtualization to solve the problem; Winver 1803 ( build 17134.254)
Sorry for this long post but wanted to provide as much info as I can. Hopeful I am posting in the right area.
When I...
Discussion in 'Windows 10 Virtualization' started by humbird, Sep 6, 2018.

Windows memory integrity + Intel sgx

Winver 1803 ( build 17134.254)

Sorry for this long post but wanted to provide as much info as I can. Hopeful I am posting in the right area.
When I try to enable memory integrity in windows
security I get the below message event ID 157.I am a complete noob in this area.
When I turn it back off I do not see this warning.
Seems the more I read about it the less I understand what to do.

Event ID157 Hypervisor did not enable mitigations for cve-3646 for
virtual machines because hyperthreading is enabled and the hypervisor
core scheduler is not enabled. To enable mitigations for CVE-2018-3646
for virtual machines enable core scheduler by running "bcdedit/set
hypervisorschedulertype core" from an elevated command prompt and reboot.

Intel SGX is enabled .Have had a recent BIOS update for mitigations.
Also in system information it says hyperthreading is enabled

"bcdedit/sethypervisorschedulertype core"
(mine is root 0x4}
I know how to run a command from admin command prompt ,
just not sure of the specific command and can I do it with hyperthreading enabled and intels SGX enabled (for my fingerprint reader)
Should I just leave memory isolation off?
Thank you for any help.

In accordance with the recent public security advisory INTEL-SA-00106 published for the Intel® Integrated Performance Primitives Cryptography Library, new versions of the Intel® SGX SDK and Intel® SGX PSW have been released.

Affected Products:
Intel® SGX SDK and Intel® Platform Software for Windows before version 2.01.
Intel® SGX SDK and Intel® Platform Software for Linux before version 2.1.3.

Windows memory integrity + Intel sgx

Which SGX setting to choose in BIOS

I had noticed that even though I had Software Guard Extensions(SGX) set to "Software Controlled" in BIOS, that it wasn't showing up in Device Manager.
Then it came to me, that on my last system build(an MSI mainboard with a 6700K) that MSI had included the driver in the downloads support for the board, and also through their MSI driver & software updater.
ASUS though doesn't offer it.
I suppose this is because my ASUS board is a Gaming board and my MSI was a Professional(workstation) board, and ASUS thinks that gamers have no use for this security option*Sad

Use something like 7 Zip and extract all files from the .cab folder, then double click the installer.

Information

Note SGX is only available for Intel CPUs from 7th gen Core Kaby Lake and above.What is SGX:

Intel® Software Guard Extensions (Intel® SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible through the use of enclaves. Enclaves are protected areas of execution. Application code can be put into an enclave via special instructions and software made available to developers via the Intel® SGX SDK.

Why is the software controlled setting better than enabled in BIOS for consumers as opposed to business:

BIOS Support

BIOS support is required for Intel SGX to provide the capability to enable and configure the Intel SGX feature in the system.
The system owner must opt in to Intel SGX by enabling it via the BIOS. This requires a BIOS from the OEM that explicitly supports Intel SGX. The support provided by the BIOS can vary OEM to OEM and even across an OEM’s product lines.
There are three possible BIOS settings.

Click to expand...

Enabled
Intel Software Guard Extensions (Intel® SGX) is enabled and available for use in applications.

Software Controlled
Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”). Enabling Intel SGX via software opt-in may require a system reboot.

Disabled
Intel SGX is explicitly disabled and it cannot be enabled through software applications. This setting can only be changed in the BIOS setup screen.

Note: Your BIOS may only have the Enabled and Disabled options, or it may not have these options if it only supports the Software Controlled option (or if it doesn’t support Intel SGX at all). Check with your device manufacturer to determine whether or not Intel SGX is supported on your system.
When Intel SGX is set to Enabled in the BIOS, Intel SGX has been enabled, and Intel SGX instructions and resources are available to applications.
When Intel SGX is set to Software Controlled, Intel SGX is initially disabled until it is enabled via a software application

What is the point of the Software Controlled state?

(When set to enabled in BIOS)Intel SGX reserves up to 128 MB of system RAM as Processor Reserved Memory (PRM), which is used to hold the Enclave Page Cache (EPC). While its exact size is determined by the BIOS settings, it is important to note that enabling Intel SGX consumes a portion of the system’s resources, effectively making them unavailable to other applications.

(When set to Software Controlled in BIOS)The Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default and potentially consuming system resources even when no Intel SGX software is present on the system and having it turned off completely. Allowing the activation to occur via software eliminates the need for end users to boot their systems into their BIOS setup screens and manually enable Intel SGX via that interface, a potentially daunting task for nontechnical users.

Software enabling is a one-way operation: Intel SGX cannot be disabled via software. The only ways to disable Intel SGX once it has been enabled are to do so via the BIOS:

Explicitly set Intel SGX to Disabled if the BIOS provides this option.
Or:
Flash a new BIOS image to the device, which resets Intel SGX support in the BIOS to the default state (either Disabled or Software Controlled, depending on the BIOS provider).

Uses hardware-based mechanisms to respond to remote attestation challenges that validate its integrity

Works in concert with other enclaves owned or trusted by the parent application

Can be developed using standard development tools, thereby reducing the learning curve impact on application developers

Supports initial data center use (such as protected transport layer security (TLS) keystore management) as well as proof of concept and development work for future data center platforms and solutions. This includes encrypted database operations, trusted big data computing, network functions virtualization (NFV), and secure monitoring, blockchain, and other important data center security uses that leverage added data protection while in use.

Windows memory integration: I turned on memory integration and now i can't boot into Windows
https://answers.microsoft.com/en-us/windows/forum/all/windows-memory-integration/0dba0d02-b98d-4d0d-9633-6077dc13d279

Intel SGX Event Items: Hi there,
To the best I know, I have never installed Intel Software Guard. However, even so, I have a driver installed and an AESM service running. I get quite a few Application Errors in Event Manager on this service.
I can find no way to uninstall this since I don't...

Security- Memory integrity hacked: I am stymied. Memory integrity has been hacked. Cannot get it to stay in on position. Cannot download Norton. Cannot talk to a virtual agent. Do I need to replace with new windows?...

memory integrity: When I play Video with the memory integrity feature enable, I have blue screen.
Because this happens???
https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/memory-integrity/3975a992-b0a7-4645-aa18-b4efa1640dc5

Memory integrity will not turn on: I tried to turn on Windows 10 Memory integrity core, under Device Security for Defender, but it won't let me saying there is a device incompatibilty.
I know that all VMM is turned on in BIOS on my B75a-G43 , and virtual software is turned on in windows services as it had to...

Windows memory integration: I turned on memory integration and now i can't boot into Windows
https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/windows-memory-integration/73fd972a-2d14-4b4e-97e9-69665315a147

Users found this page by searching for:

unless I turn on core scheduling I am unprotected against CVE-3646

bcdedit /set hypervisorschedulertype core

The hypervisor did not enable mitigations for CVE-2018-3646 for virtual machines

,

The hypervisor did not enable mitigations for CVE-2018-3646 for virtual machines because HyperThreading is enabled and the hypervisor core scheduler is not enabled,

The hypervisor did not enable mitigations ,

hypervisor did not enable mitigations for CVE-2018-3646 for virtual machines because HyperThreading is enabled and the hypervisor core scheduler is not enabled. To enable mitigations for CVE-2018-3646 for virtual machines,

the hypervisor did not enable mitigations for cve-2018-3646 for virtual machines because hyper threading is enabled and the hypervisor core scheduler is not enable,